VULCAIN

Projet-MSTIC, 2009-2010

Introduction

The Vulcain project is funded by the University Joseph Fourier, pôle MSTIC.

Nowadays, many software systems are built by combining several existing applications and libraries. A programming error (or even a lack of internal checks) within a single component may result in a vulnerability.
If such a vulnerability can be activated by an external user, it becomes a security hole able to compromise the whole system (in terms of denial of service, access to confidential data, or execution of arbitrary external code).

Numerous potential vulnerability alerts are reported every day, and they are most of the time followed by security patches provided by the software editors. However, developing and testing such patches is costly for the editors, and applying these patches may also be costly for the end users (changing a component may lead to unforeseen behaviors of the whole system).

Therefore, it is important for both parties to have concrete tools for detecting potential software vulnerabilities, but also for checking whether such a vulnerability may (or may not) be activated on a given system configuration, within a particular execution context.

Objectives

The project objective is to offer automatic techniques for vulnerability analysis in a “classical” LAMP environment (Linux-Apache-MySQL-PHP).
We will focus on the combination of several approaches.

a white-box approach, based on code analysis and test execution on internal components:
The purpose here is to identify potentially vulnerable statements by means of static analysis (e.g., taint analysis)
and predefined vulnerability patterns. These results will then help to select the most promising test sequences
able to activate such potential vulnerabilities.
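A minimal illustration of this white-box step, added here as an example and not code from the Vulcain project: a toy taint analysis over a constructed PHP fragment, which flags sink statements (mysql_query, echo) still reachable from user input ($_GET, $_POST) without the matching sanitizer and reports which source reaches them, the information a test-sequence selection would start from. The source, sanitizer and sink tables are assumptions for the toy.

```python
import re
from typing import Dict, List, Tuple

Taint = Tuple[frozenset, frozenset]   # (sink classes still unsafe for, originating sources)
CLEAN: Taint = (frozenset(), frozenset())

# Constructed toy PHP fragment, one statement per line (not from the Vulcain project).
SAMPLE = """
$id = $_GET['id'];
$name = $_POST['name'];
$safe = mysql_real_escape_string($name);
$q1 = "SELECT * FROM users WHERE id=" . $id;
$q2 = "SELECT * FROM users WHERE name='" . $safe . "'";
mysql_query($q1);
mysql_query($q2);
echo $name;
"""

# Assumed tables: which functions neutralise which sink class, and which sinks exist.
SANITIZERS = {"mysql_real_escape_string": "sql", "htmlspecialchars": "html"}
SINKS = {"mysql_query": "sql", "echo": "html"}
ALL_SINK_CLASSES = frozenset(SINKS.values())

ASSIGN = re.compile(r"^(\$\w+)\s*=\s*(.+);$")
SINK_CALL = re.compile(r"^(\w+)\s*\(?(.*?)\)?;$")
SANITIZE_CALL = re.compile(r"^(\w+)\((.*)\)$")
SOURCE_REF = re.compile(r"\$_(?:GET|POST|COOKIE)\[[^\]]*\]")

def taint_of(expr: str, env: Dict[str, Taint]) -> Taint:
    """Taint of an expression: union over the sources and variables it references,
    minus the class neutralised when the whole expression is one sanitizer call."""
    unsafe, origins = set(), set()
    for src in SOURCE_REF.findall(expr):
        unsafe |= ALL_SINK_CLASSES          # raw user input is unsafe for every sink
        origins.add(src)
    for var in re.findall(r"\$\w+", expr):
        if not var.startswith("$_"):       # superglobals were handled above
            u, o = env.get(var, CLEAN)
            unsafe |= u
            origins |= o
    m = SANITIZE_CALL.match(expr)
    if m and m.group(1) in SANITIZERS:
        unsafe.discard(SANITIZERS[m.group(1)])
    return frozenset(unsafe), frozenset(origins)

def analyze(code: str) -> List[Tuple[int, str, str]]:
    """Flag each sink whose argument is still unsafe for that sink's class.
    Returns (line number, sink class, originating sources) per potential vulnerability."""
    env: Dict[str, Taint] = {}
    findings = []
    for lineno, raw in enumerate(code.strip().splitlines(), 1):
        stmt = raw.strip()
        m = ASSIGN.match(stmt)
        if m:                               # propagate taint through the assignment
            env[m.group(1)] = taint_of(m.group(2), env)
            continue
        m = SINK_CALL.match(stmt)
        if m and m.group(1) in SINKS:
            unsafe, origins = taint_of(m.group(2), env)
            cls = SINKS[m.group(1)]
            if cls in unsafe:
                findings.append((lineno, cls, ", ".join(sorted(origins))))
    return findings

if __name__ == "__main__":
    for lineno, cls, origins in analyze(SAMPLE):
        print(f"line {lineno}: {cls} sink reachable from {origins} without {cls} sanitisation")
```

On the constructed fragment, the escaped query on line 7 is not reported, while the unescaped query on line 6 and the unencoded echo on line 8 are, each with the superglobal that reaches it.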

a black-box approach, based on fuzzing and machine learning on the whole system:
The purpose here is to improve classical fuzzing techniques by taking into account a speculative model of the
application control flow (obtained by machine learning). The choice of the fuzzing values will then depend on the
current control state.

In addition, practical experiments might be conducted using the parallel computing facilities of the Grid’5000 environment.